How to configure Fortify build failure criteria on a CI server

  1. Question
  2. Answer
    1. Fortify Jenkins Plugin
    2. Fortify Plugin for Bamboo
    3. Fortify Azure DevOps Extension
  3. References

Question

How do I configure my CI server to report a build failure for Fortify?

Answer

How a build failure is configured for Fortify depends on the CI server in use. Unless the pipeline invokes Fortify SCA from the command line and evaluates the results itself, it generally relies on Fortify Software Security Center (SSC) to decide whether the build fails.

The build failure condition for a Fortify scan should fail the build when unresolved critical or high priority issues remain. A separate check should confirm that the latest versions of the Fortify software and rulepacks are being used for the scan.

When using an SSC-based solution, the failure condition is evaluated when the scan is uploaded to SSC:

  • The scan file (FPR) is uploaded to SSC and merged with the previously audited scan for that application version, and
  • any issue that matches the failure criteria and has not been marked “Not an Issue” triggers a failure.
  • The following filter should be set as the failureCriteria:

      [fortify priority order]:critical OR high
    

    or

      [fortify priority order]:critical OR [fortify priority order]:high
    

Additionally, the default filter set in SSC must be “Security Auditor View”. If it is not, the filter set must be set to Security Auditor View on upload; see the guide for each CI server plugin for how to set the filterSet.

The sections below describe how to use SSC to fail the build on unresolved critical or high issues. Checking for the latest versions of the Fortify software and rulepacks is not covered by the SSC upload and requires additional customization, such as invoking SCA from the command line within the CI job.

Fortify Jenkins Plugin

See the Micro Focus Fortify Jenkins Plugin User Guide for details on how to install and configure the Fortify Jenkins Plugin on your Jenkins server. In a pipeline, the failure condition is set in the fortifyUpload step with the failureCriteria parameter, and the filter set with the filterSet parameter. The following example fails the build on critical and high priority issues:

node {
    stage('Fortify Upload') {
        // Upload the FPR to SSC; the build fails if any issue in the
        // Security Auditor View filter set matches failureCriteria.
        fortifyUpload appName: 'MyApp',
                      appVersion: '1.0.0',
                      resultsFile: 'MyApp.fpr',
                      filterSet: 'Security Auditor View',
                      failureCriteria: '[fortify priority order]:critical OR high'
    }
}

Fortify Plugin for Bamboo

See the Fortify Plugin for Bamboo documentation for details on how to install and configure the Fortify Plugin for Bamboo on your Bamboo server. To set the failure condition, first enable uploads to SSC by selecting Upload Fortify SCA scan results to Fortify Software Security Center.

Configure the upload appropriately for your installation of SSC. See the Bamboo Documentation for details.

Set the failure condition in the Build failure criteria box:

[fortify priority order]:critical OR high

Fortify Azure DevOps Extension

See the Fortify Azure DevOps Extension documentation for details on how to configure the Fortify Static Code Analyzer Assessment task to run on an Azure DevOps agent. That documentation does not indicate that a failure condition can be set in the task itself. Scan results can, however, be uploaded to SSC by selecting the Upload Results to SSC check box.

Since the failure condition cannot be evaluated by the Fortify Azure DevOps Extension directly, once the results are in SSC a REST query against SSC returns the issues matching the criteria, and the pipeline can fail the build when any are returned:

/ssc/api/v1/projectVersions/[versionid]/issues?q=[fortify+priority+order]:critical+OR+high&qm=issues
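The query above can be turned into a pipeline gate that replaces the missing failure condition. The following Python script is an added example, not code from the original article or from the Fortify Azure DevOps Extension: it builds the same issues query, reads the total number of matching issues from the response, and exits non-zero so the pipeline step fails. The SSC_URL, SSC_VERSION_ID and SSC_TOKEN environment variables, the FortifyToken authorization header, the limit paging parameter and a response wrapper with a top-level count are assumptions about the SSC REST API; the sample payload is constructed.

```python
"""Gate a pipeline on Fortify SSC issue counts via the SSC REST API.

Added example, not part of the original article or the Fortify extension.
Assumed: SSC wraps results as {"data": [...], "count": N, ...}, accepts
"Authorization: FortifyToken <token>", and supports a "limit" paging
parameter. SSC_URL, SSC_VERSION_ID and SSC_TOKEN are names chosen here.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

# Same criteria the article uses for failureCriteria in the CI plugins.
FAILURE_CRITERIA = "[fortify priority order]:critical OR high"


def build_issue_query_url(ssc_url: str, version_id: int,
                          criteria: str = FAILURE_CRITERIA, limit: int = 1) -> str:
    """Build the issues query from the article, URL-encoding the criteria.

    limit=1 keeps the payload small: the decision uses the server-side
    total "count", not the number of rows returned.
    """
    params = {"q": criteria, "qm": "issues", "limit": limit}
    base = ssc_url.rstrip("/")
    return f"{base}/api/v1/projectVersions/{int(version_id)}/issues?" + urllib.parse.urlencode(params)


def unresolved_count(payload: dict) -> int:
    """Total issues matching the query.

    Prefer the server-side total so paging cannot hide issues; fall back
    to counting the rows actually returned.
    """
    count = payload.get("count")
    if isinstance(count, int):
        return count
    return len(payload.get("data") or [])


def evaluate(payload: dict) -> bool:
    """True when the build should pass: no matching unresolved issues."""
    return unresolved_count(payload) == 0


def fetch_issues(url: str, token: str) -> dict:
    """Call SSC with token auth and return the parsed JSON body.

    urlopen verifies the SSC TLS certificate by default; do not disable it.
    """
    req = urllib.request.Request(url, headers={
        "Authorization": f"FortifyToken {token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


# Constructed sample of the assumed response shape, used when run offline.
SAMPLE_PAYLOAD = {
    "data": [{"issueName": "SQL Injection"}],
    "count": 3,
    "responseCode": 200,
}


def main() -> int:
    ssc_url = os.environ.get("SSC_URL")
    version_id = os.environ.get("SSC_VERSION_ID")
    token = os.environ.get("SSC_TOKEN")  # supply from a pipeline secret, never a literal
    if ssc_url and version_id and token:
        payload = fetch_issues(build_issue_query_url(ssc_url, int(version_id)), token)
    else:
        print("SSC_URL, SSC_VERSION_ID or SSC_TOKEN not set; evaluating the constructed sample")
        payload = SAMPLE_PAYLOAD
    n = unresolved_count(payload)
    if evaluate(payload):
        print("Fortify gate passed: no unresolved critical or high issues")
        return 0
    print(f"Fortify gate FAILED: {n} unresolved critical or high issue(s)")
    return 1  # a non-zero exit code fails the Azure DevOps step


if __name__ == "__main__":
    sys.exit(main())
```

The script queries the default filter set; as noted above, that must be Security Auditor View for the criteria to mean the same thing as in the Jenkins and Bamboo plugins. If a different filter set is the default, the query has to select Security Auditor View explicitly (SSC exposes filter sets per application version; the issues endpoint's filter set parameter is not shown in the article and is left out here).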

References